0

So, I want to send a GET request from my FFQuantum console and examine the response (the header) that I receive as response. I just want to check the fields, nothing more.

Now, when I run this script on this website (https://stackoverflow.com/), with this code:

var req = new XMLHttpRequest();
var web_adress = 'https://stackoverflow.com/';
req.open('GET', web_adress, false);
req.send(null);
var headers = req.getAllResponseHeaders().toLowerCase();
alert(headers);

I get the header just right, but when I'm for example, on Google, then I get the error:

For results, I expect to see filled popup but I get the empty one. That is for when I'm on Google and trying to fetch the Stack's header.

What am I getting?

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://stackoverflow.com/. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

Is there a way to get the headers from StackOverflow when I'm on Googles pages?

  • Try instead using `var web_adress = 'https://cors-anywhere.herokuapp.com/https://stackoverflow.com/'` and for an explanation of what that does, see the *How to use a CORS proxy to get around “No Access-Control-Allow-Origin header” problems* section of the answer at https://stackoverflow.com/questions/43871637/no-access-control-allow-origin-header-is-present-on-the-requested-resource-whe/43881141#43881141 – sideshowbarker Dec 08 '17 at 21:48

1 Answers1

0

No, you can't. Is is because of security. Browser don't allow you to send requests across domains! To allow this action stackoverflow must return something like this:

Access-Control-Allow-Origin: https://google.com

But there isn't this header in response. If you want to do something like this - try to use special browsers which do not use The Same Origin Policy or some other soft. Phantomjs for example or nodejs (if you want to do it with JS) or curl request etc.

But probaby you can do something like this:

google.com => yourdomain.com => stackoverflow.com

Here you use your host like a proxy (remember that you need to set Access-Control-Allow-Origin: *)

The problem is in browser security =)

Ruboss
  • 64
  • 1
  • 7
  • And how can I test to see if that website allows CORS? Some feed back from that site, like, hey! we allow CORS, so you can do this. – Learn on hard way Dec 08 '17 at 10:20
  • There must be an header `Access-Control-Allow-Origin` in response from a server. The value of this header describe who are allowed do requests (means domains) to it. – Ruboss Dec 08 '17 at 17:53